Data Breach Notifications: Delays Matter

By: Stephen Midgley | 9/23/2015

While many businesses are making great strides in protecting themselves against data breaches, all this hard work can be undone when a breach occurs. It’s impossible to guard against everything, so it is important to know exactly what to do once a breach happens. Post-breach, time matters. Delays can have disastrous consequences.

I recently contributed an article for TechWeek Europe on Global Data Breach Notification - How Long Should You Wait, which addresses both the importance of promptly notifying those affected by a breach as well as the broad range of data breach requirements that exist globally.

Data breach notifications are a requirement of many laws designed to protect consumer data, but they have broader implications that force companies to take responsibility for harm caused by a data leak. Across the globe, there are nuances to data breach legislation thatrequire a deep understanding. In the UK and EU, for example, there are “recommendations" by the ICO, sector-specific requirements such as the Privacy and Electronic Communications Directive, and the upcoming EU General Data Protection Regulation (EU GDPR). Compliance within the United States is even more complicated, with State and industry-regulators, as well as newly affirmed oversight from the FTC.

As addressed in my article on TechWeek Europe, the rule of thumb is that your data breach protection policy should accommodate a fast turnaround in data breach notification. In a real world context, this can be quite challenging, as you need to establish what was leaked, if an incident (such as mobile device loss) should be escalated (what if it was actually stolen?), and when exactly the breach occurred (which may be delayed if an employee doesn’t report a loss right away).

As you can see, it’s important to be able to determine if a breach has occurred, what information has been exposed, and how many people are affected by it. To do so, you need technology in place to not only encrypt device data, but to track stolen or lost devices, confirm whether the data has been accessed, and then wipe the device if it can’t be retrieved—the services we provide with Absolute Data & Device Security (DDS). In some cases, this may mean no data breach notification is required; in others, it can provide information to regulators that can help mitigate the damage of a data breach.

Financial Services